malware removal help

You have to allow CounterSpy to fix what it finds. You told it to ignore the problems! You should just uninstall Morpheus first! That is one of your big problems!

You also have too many realtime blocking antispyware applications installed. Which programs are paid versions (if any)?
CounterSPy
Ewido
Pest Patrol
Spy Sweeper

You also have Authentium's Command AV and Symantec installed. Did you read step 3 of the READ ME?

 

Sometimes this is done in order to get additional info but they should not be kept installed on a long term basis.

Please run CounterSpy again and make sure you have it FIX what it finds rather than ignore it. Then attach the new log from CounterSpy. I will probably have you uninstall CounterSpy after doing this but wait until I tell you to.


You also must follow the directions in step 7 of the READ ME and set MSconfig to Normal Startup mode. After doing this, reboot and attach new logs from HJT and GetRunKey.

 

In the last section of the log from ShowNew it lists the Uninstall Programs list. In that list you will see the below from Authentium:

"DisplayName"="Authentium"

In your HJT log you will also see the below service running:
O23 - Service: DvpApi (dvpapi) - Command Software Systems, Inc. - C:\Program Files\Common Files\Command Software\dvpapi.exe

This is Command Antivirus.

Are you saying that when you look in Add/Remove programs you do not see Authentium or Command Antivirus?

 

It may have been uninstalled incorrectly. Install the below:

Your Uninstaller! 2006

Now see if you can find and uninstall Authentium using Your Uninstaller. You can uninstall Your Uninstaller after using it since it is only a trial program.

 

Okay then run the below procedure and attach the log and I will create our own fix to remove it.

Why do I now see Spy Sweeper running? I did not ask you to install this! Is this a free trial or paid version?

And is CounterSpy also the free trial?

You have added some new malware to your PC that was not present in previous logs.

Is the below ProxyServer something you have setup?
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=168.94.74.68:8080

 

Are you sure you have the full Freedom Security Suite (which Bellsouth is just renaming)? It does not look like it to me. Either you do not have the full suite or it is not installed correctly or it is an ineffective attempt at a security suite. In addition, this security suite (when you install all of it) contains only an antivirus, a popup blocker, and a firewall. It does not contain an antispyware program so you would still need Spy Sweeper anyway. But I still don't believe your program could be a full security suite. If it is, it does not seem to be installed correctly. Are you sure that Command AV is not part of this package????

Uninstall CounterSpy now since you have a paid version of Spy Sweeper.

Pest Patrol did show in your ShowNew log! Are you sure it is not in Add/Remove Programs?

The procedure I want you to run is this (sorry I forgot to post it last time)

Getting Uninstall Programs List From The Registry

Now continue on to the below!

Please download and install Registrar Lite Make sure you select a Majorgeeks download link and not the Authors!

Now Copy the bold text below to notepad. Save it as fixWLK.reg to your desktop. Be sure the "Save as" type is set to "all files" Once you have saved it double click it and allow it to merge with the registry.

After completing ALL of the above instructions, continue here!

Start by downloading- - Pocket KillBox

Extract it to its own folder somewhere that you will be able to locate it later.

Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=168.94.74.68:8080
O4 - HKLM\..\Run: [WebRebates] wjview /cp "C:\Program Files\WebRebates\System\Code" Main lp: "C:\Program Files\WebRebates"
O4 - HKLM\..\RunOnce: [CydoorUpdate] RunDll32 C:\WINDOWS\system32\AdCache\Temp\cd_clint.dll,ServiceRunDll v
O4 - HKLM\..\RunOnce: [PPClean Remove at boot] command nul /c C:\PPCleanDeleteAtReboot.bat
O4 - HKCU\..\Run: [tbon] C:\Program Files\TBONBin\tbon.exe /r
After clicking Fix, exit HJT.


Now we need to Reset Web Settings:

1. If you have an Internet Explorer icon on your Desktop, goto step 2. If not, skip to step 3.
2. Now right click on your desktop Internet Explorer icon and select Properties. Then click the Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK. Then skip step 3.
3. If you do not have an Internet Explorer icon on your Desktop, click Start, Control Panel (for some systems it may be Start, Settings, Control Panel), Internet Options, Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK.

Note for IE 7 users: You need to select Internet Options then the Advanced tab and then Reset Internet Explorer Settings!


Now run Pocket Killbox by doubleclicking on killbox.exe
Choose Tools > Delete Temp Files and click Delete Selected Temp Files.
Then after it deletes the files click the Exit (Save Settings) button.
Now back on Killbox's main window, Paste the below filenames into KILL BOX one at a time. Check mark the box that says "Delete on Reboot" and checkmark the box "Unregister DLL" (If available) Click the RED X and it will ask you to confirm the file for deletion…say YES and when the next box opens prompting you to reboot now...click NO...and proceed with the next file. Once you get to the last one click YES and it will reboot. Note some of the files listed below may not exist but we need to check for them anyway.

C:\WINDOWS\system32\AdCache\Temp\cd_clint.dll
C:\Program Files\TBONBin\tbon.exe

If Killbox does not reboot or if you get a Pending Operations type error message just click OK to continue and then just reboot your PC yourself.

After reboot locate the below folders and delete them if found:
C:\Program Files\WebRebates
C:\Program Files\TBONBin

Now attach a new HJT log and tell me how the steps went.

Also attach a new log from ShowNew and a new log from GetRunKey.

Make sure you tell me how things are working now!

 

You did not address a couple items in my previous message:

You need to look into this and answer my questions. It is possible that the package from Bellsouth automatically installs and uses Command AV and Pest Patrol. You need to determine this. If you cannot get a straight answer from Bellsouth (and I would bet you cannot), you can just uninstall this security suite and then we will see what it removes. You can then either reinstall it later or you can use better free alternatives that we have available.

I need this log!


Are you still getting error messages on anything? If so, give the exact error message.

 

Yes and now that you attached the other log I can clearly see PestPatrol and Command AV are listed and they are both part of BellSouth Internet Security.

So thus I was correct in insisting that you need to checkup on Pest Patrol and Command AV because they are installed. And as I was thinking, they are part of your package which means we did not want to remove them. HOWEVER, that being said, you should not be using Spy Sweeper now that you have Pest Patrol. They will conflict with each other and the two together will place a tremendous load on your System Resources. You really need to uninstall Spy Sweeper now.

Now since we know Pest Patrol is installed as part of your package you need to restore the below line from the backups that HijackThis creates:
O4 - HKLM\..\RunOnce: [PPClean Remove at boot] command nul /c C:\PPCleanDeleteAtReboot.bat

The Backups are found under the Misc Tools button

 

The file name is cd_clint.dll not cd_clint.ddd. We fixed the below line using HJT way back in message number 15

It is rather strange that the Bellsouth software would need this file. Cydoor is well known malware. What in the world would they need that for?

You could try restoring that line in using HJT but we also tried deleting the file using Pocket Killbox so it may be gone. I still don't like the idea of them loading this file. It is malware! It is normally detected something like below:

Sign of "Win32:Trojan-gen. {Other}" has been found in "C:\WINDOWS\System32\AdCache\Temp\CD_CLINT.DLL" file.

Reboot your PC right now before doing anything and write down all messages and tell me what you see. Also attach a new HJT log.

 

You have to explain what you are doing! You seem to have reinstalled the malware that we had previously cleaned up and in addition add a new malware item P2P Networking? Why did you install this and how did you get back the items we previously fixed. Goto Add/Remove programs and Uninstall P2P Networking now! The Webrebates line is where your error message from about WJView is coming from.

Your HJT log shows the below:
O4 - HKLM\..\Run: [P2P Networking] C:\WINDOWS\system32\P2P Networking\P2P Networking.exe /AUTOSTART
O4 - HKLM\..\Run: [WebRebates] wjview /cp "C:\Program Files\WebRebates\System\Code" Main lp: "C:\Program Files\WebRebates"
O4 - HKCU\..\Run: [tbon] C:\Program Files\TBONBin\tbon.exe /r
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)

You are going to need to attach new logs from GetRunKey and ShowNew make sure you download the current versions of the programs first.

I also think that if your errors do not go away that you should completely uninstall all this stuff from Bellsouth and then reboot. And then reinstall there stuff. Keep better track of all the stuff they install and that gets added to your HJT log by them.

 

This is a two way street! You need to help me to help you which means that you must do only what I ask you to do and absolutely nothing else. I need to be sure that nothing else is being downloaded, installed, deleted, etc. And you need to provide constant feedback to all steps. Based on the last two HJT logs, I'm confused as to what you are doing.

Also look at your newfiles.txt log and explain what you are copying into the below folder:
C:\Documents and Settings\M\Local Settings\Temp\

I load of stuff looks like it was just copied their. If you are using this folder for backups that is a very BAD idea. You will lose all of them. This is a TEMP folder and should not be used for anything you need to keep. Cleaning programs and steps we need to use will delete everything in this folder.

Now your current HJT log no longer shows the lines I was questioning (accept 1) in my last message. I previously said you had these:

Now they are all gone except this:

Did you fix the other lines???? Or was the previous log an old log?

If the old log was correct, that would explain the WJView error. If the new log is correct the WJView error should be gone.

 

Please read all of the below message before you do anything.

By using A/B comparisons.

Uninstall all of the Bellsouth software and reboot.
Then save ShowNew, GetRunKey, and HJT logs.
Rename the above three logs to avoid overwriting them (or upload them here first before continuing).
Then reinstall Bellsouth and reboot again.
Now save new ShowNew, GetRunKey, and HJT logs.

This will reveal what is on your PC with and without their software.

However, what I would prefer that you do is uninstall their software reboot and attach new logs and tell me what problems you are having. I think their software may be getting in the way of us making fixes. Then we can fix everything up and then you can reinstall their software afterwards.


By the way, since you uninstall Morpheus, you should also delete the below folder that still exists:
C:\Program Files\Morpheus Toolbar

 

As I suspected your Bellsouth software was getting in the way of the cleanup.

Use HijackThis to fix the below remnant from Spy Sweeper:
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)

Now exit HJT!

Now install the current version of Sun Java from: Sun Java Runtime Environment

Then uninstall the below old versions of software:
J2SE Runtime Environment 5.0 Update 3
J2SE Runtime Environment 5.0 Update 6

Now reinstall all of your Bellsouth software!

Your last HJT log was clean. If you are not having any other malware problems, it is time to go back to step 1 of the READ & RUN ME to Disable System Restore which will flush your Restore Points. Then reboot and enable System Restore to create a new clean Restore Point.

After that, you should work thru the below link:

How to Protect yourself from malware!